A smart contract bug in decentralized finance (DeFi) protocol SushiSwap led to losses of more than $3 million in the early hours of April 9, according to several security reports on Twitter.
Blockchain security firms CertiK Alert and Peckshield have published anomalous activity related to the approval function in Sushi’s Router Processor 2 contract a smart contract that aggregates trade liquidity from multiple sources and determines the value of the exchanged coins. The best price. Within hours, the error resulted in a loss of $3.3 million. According to DefiLlama alias developer 0xngmi, the hack should only affect users who have exchanged protocols in the past four days.
Sushi’s lead developer, Jared Gray, urged users to revoke permission for all contracts on the protocol. "Sushi's RouteProcessor2 contract has an approval error; please revoke approval as soon as possible. We are working with the security team to mitigate this issue," he said. A list of contracts on GitHub with different blockchains that need to be revoked has been created to address this issue. Hours after the incident, Gray announced on Twitter that "most of the affected funds" had been recovered through White Hat security procedures. “We have confirmed that over 300 ETH has been recovered from CoffeeBabe of Sifu’s stolen funds. We are in contact with Lido’s team regarding an additional 700 ETH.”
It's been an intense weekend for the sushi community. On April 8, Gray and his attorneys commented on the recent SEC subpoena. "The SEC's investigation is a private fact-finding attempt to determine whether any violations of the federal securities laws have occurred. To the best of our knowledge, the SEC has not identified (as of this writing) any individuals connected to Sushi conclusions that violate the U.S. federal securities laws," he said.
Gray claimed to be cooperating with the investigation. On March 21, a legal defense fund against the subpoena was raised on Sushi’s governance forum.
